Fuzzing everything in 2014 презентация

ever since
Done: binary reversing to malware analysis to cyber investigation, pentesting to blackbox auditing to vulnerability discovery to exploitation…
Founded: Esage Lab => Neuronspace, Malwas, TZOR

for fuzzing everything by design

2. Enforce unnecessary constraints.
E.g. glue mutation with automation with crash monitoring
Kills flexibility => not suitable for fuzzing everything

3. Steep learning curve.
E.g. templates & configs
Is it worthy to learn a system which is constrained anyway?

platform, architecture

Omnipresent.
Hosting platform invariant: VM/hardware/laptop/localnet/clouds...

“LEGO”
Mix & match components
Rapid support for new targets
Hot patching for tweaking

scaling.
Any number of fuzzers running at the same time
0 time to set up new targets

Right now.
No time for development

cscript/wscript, AppleScript…

Native instrumentation
DebugAPI, CrashWrangler, cdb postmortem scripts…

Highly generic mutators
Home-made bitflipping tools, grep/sed/urandom, radamsa…

7 years ago

Dozens of publications, hundreds of tools, thousands of vulns found (=> code audited)

Driven by market and the competition

Not exactly

ClusterFuzz is still beaten by standalone researchers

My results: ~1 night per fuzzer

test cases are bad

Rejected by the validator or not reaching or not triggering vulnerable code paths

Cornerstone: bug-rich branches of code

the already reached paths

Evolutionary input generation is tiny (think Word with embeddings)

generation

Presumably constrained exploit

Loading with .cmd and .bat

CVE-2013-1324: Microsoft Word WPD stack based buffer overflow

target UaFs

Strict syntax-based and/or layered formats
My experience: the better the generator, and the deeper the targeted data layer, the more bugs found

Microsoft DKOM/RPC
Did you know one can send a DKOM/RPC request to the port mapper (135) to enable RDP?

is not the only wide-spread software capable of loading ActiveX…

interfaces or fuzzing automation technology
Yes: Ancient code, hidden/unobvious functionality etc.

Bet on complex data formats
For complex data, code paths exist which are not reachable automatically, which means probably never audited code base and zero competition.

Craft complex fuzzing seeds manually
The rule of “minimal size sample”, as stated in the book “Fuzzing: Brute Force Vulnerability Discovery” is obsolete 2014.

Remove 1-2 data format layers before injecting malformed data
Deep parsers are less audited (researchers are lazy?)
Deep parsers tend to contain more bugs (programmers are lazy?)

Estimate potency of a new vector by dumbest fuzzing prior to investing in smart fuzzing
Criteria: Bugs crowd
Bugs crowd in direction of “less audited” code base

Tweak a lot to get a “feeling” for the particular target

Keep the fuzzing setting dirty
Fuzzing is dirty by design
Pretty lying it into a well-designed system kills flexibility necessary for tweaking & rapid prototyping.

Research, again